.\"                                      Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH THC-IPv6 8 ATTACK-TOOLKIT6 "Summer 2015"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh        disable hyphenation
.\" .hy        enable hyphenation
.\" .ad l      left justify
.\" .ad b      justify to both left and right margins
.\" .nf        disable filling
.\" .fi        enable filling
.\" .br        insert line break
.\" .sp <n>    insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
The Hacker Choice's IPv6 Attack Toolkit (aka thc-ipv6)
.SH SYNOPSIS
.B tool [options] ...
.TP
.SH DESCRIPTION
This manual page briefly documents each of the
.B attack-toolkit6
tools. Not all options are listed here, to see the full list of
options of each tool please invoke them with
.B -h.
.IP
Note that on Debian (if you read this on Debian) command names are prefixed with
.I atk6-
, so for example the tool
.B alive6
should be invoked as
.I atk6-alive6.
This is a Debian-only modification.
.PP
.TP
.B address6 <mac-address/ipv4-address/ipv6-address> [ipv6-prefix]
Converts a mac or ipv4 address to an ipv6 address (link local if no prefix is
given as 2nd option) or, when given an ipv6 address, prints the mac or ipv4
address. Prints all possible variations. Returns \-1 on errors or the number of
variations found.
.TP
.B alive6 <interface> [unicast-or-multicast-address [remote-router]]
Shows alive addresses in the segment. If you specify a remote router, the
packets are sent with a routing header prefixed by fragmentation.
.TP
.B covert_send6 <interface> <target> <file> [port]
Sends the content of FILE covertly to the target.
.TP
.B covert_send6d <interface> <file>
Writes received covertly content to FILE.
.TP
.B denial6 <interface> <destination> <test-case-number>
Performs various denial of service attacks on a target.
.TP
.B detect_sniffer6 <interface> [target-ip]
Tests if systems on the local LAN are sniffing. Works against Windows,
Linux, OS/X and *BSD systems.
.TP
.B dnssecwalk [-e46] <dns-server> <domain>
Performs DNSSEC NSEC walking.
.TP
.B dos_mld <interface>
This tools prevents new ipv6 interfaces to come up, by sending answers
to duplicate ip6 checks (DAD). This results in a DOS for new ipv6
devices.
.TP
.B dos-new-ip6 <interface>
This tools prevents new ipv6 interfaces to come up, by sending answers
to duplicate ip6 checks (DAD). This results in a DOS for new ipv6
devices.
.TP
.B detect-new-ip6 <interface> [scriptname]
This tools detects new ipv6 addresses joining the local network.  If
scriptname is supplied, it is executed with the detected IPv6 address as
option.
.TP
.B dnsdict6 [-t THREADS] <domain> [dictionary-file]
Enumerates a domain for DNS entries, it uses a dictionary file if supplied
or a built-in list otherwise.
.TP
.B dnsrevenum6 <dns-server> <ipv6-address>
Performs a fast reverse DNS enumeration.
.TP
.B dump_router6 <interface>
Dumps all local routers and their information.
.TP
.B dump_dhcp6 <interface>
Dumps all DHCPv6 servers and their information
.TP
.B exploit6 <interface> <destination> [test-case-number]
Performs exploits of various CVE known IPv6 vulnerabilities on the destination.
.TP
.B extract_hosts6 <file>
Prints the host parts of ipv6 addresses in file.
.TP
.B extract_networks6 <interface>
Prints the networks found in file.
.TP
.B fake_advertise6 <interface> <ip-address> [target-address [own-mac-address]]
Advertise ipv6 address on the network (with own mac if not defined)
sending it to the all-nodes multicast address if no target specified.
.TP
.B fake_dhcps6 <interface> <network-address/prefix-length> <dns-server>
Fake DHCPv6 server. Used to configure an address and set a DNS server.
.TP
.B fake_dns6d <interface> <ipv6-address>
Fake DNS server that serves the same IPv6 address to any lookup request.
.TP
.B fake_dnsupdate6 <dns-server> <fqdn> <ipv6-address>
Send false DNS update requests.
.TP
.B fake_mipv6 <interface> <home-address> <home-agent-address> <care-of-address>
If the mobile IPv6 home-agent is mis-configured to accept MIPV6 updates without
IPSEC, this will redirect all packets for home-address to care-of-address.
.TP
.B fake_mld6 <interface> <multicast-address> [[target-address] [[ttl] [[own-ip] [own-mac-address]]]]
Advertise yourself in a multicast group of your choice.
.TP
.B fake_mld26 [-l] <interface> <add|delete|query> [multicast-address [target-address [ttl [own-ip [own-mac-address [destination-mac-address]]]]]]
This uses the MLDv2 protocol. Only a subset of what the protocol is able to do is possible to implement via a command line.
.TP
.B fake_mldrouter6 [-l] <interface> <advertise|solicitate|terminate> [own-ip [own-mac-address]]
Announce, delete or solicitate MLD router - yourself or others.
.TP
.B fake_pim6 [-t ttl] [-s src6] [-d dst6] <interface> {<hello> [dr_priority]|{join|prune} <neighbor6> <multicast6> <target6>}
The hello command takes optionally the DR priority (default: 0).
.TP
.B fake_router6 <interface> <router-ip-link-local
network-address/prefix-length> <mtu> [mac-address]
Announce yourself as a router and try to become the default router.  If
a non-existing mac-address is supplied, this results in a DOS.
.TP
.B fake_router26 <interface>
Like
.B fake_router6
with more options available.
.TP
.B fake_solicitate6 <interface> <solicited-ip>
Solicits IPv6 address on the network, sending it to the all-nodes
multicast address.
.TP
.B firewall6 [-u] <interface> <destination> <port> [test-case-no]
Performs various ACL bypass attempts to check implementations.
Defaults to TCP ports, option \-u switches to UDP.
For all test cases to work, ICMPv6 ping to the destination must be allowed.
.TP
.B flood_advertise6 <interface>
Flood the local network with neighbor advertisements.
.TP
.B flood_dhcpc6 <interface> [domain-name]
DHCP client flooder. Use to deplete the IP address pool a DHCP6 server
is offering. Note: if the pool is very large, this is rather
senseless.
.TP
.B flood_mld6 <interface>
Flood the local network with MLD reports.
.TP
.B flood_mld26 <interface>
Flood the local network with MLDv2 reports.
.TP
.B flood_mldrouter6 <interface>
Flood the local network with MLD router advertisements.
.TP
.B flood_redir6 [-HFD] interface [target] [oldrouter [newrouter]]
Flood a target with ICMPv6 redirects
.TP
.B flood_router6 <interface>
Flood the local network with router advertisements.
.TP
.B flood_router26 <interface>
Similar to
.B flood_router6
but with more options available.
.TP
.B flood_rs6 [-sS] interface [target]
Flood a network with ICMPv6 router solicitation messages
.TP
.B flood_solicitate6 <interface> [target-ip]
Flood the network with neighbor solicitations.
.TP
.B four2six [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src ipv4-dst [port]
Send (spoofed) packets over a 4to6 tunnel (IPv4 packets over IPv6 networks)
.TP
.B fragmentation6 <interface> <target-ip>
Performs fragment firewall and implementation checks, including
denial-of-service.
.TP
.B fuzz_ip6 [-x] [-t number | -T number] [-p number] [-IFSDHRJ] [-1|-2|-3|-4|-5|-6|-7] <interface> <unicast-or-multicast-address> [address-in-data-pkt]
Fuzzes an icmp6 packet.
.TP
.B fuzz_dhcps6 [-t number | -T number] [-e number | -T number] [-p number] [-md] [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name]
Fuzzes a DHCPv6 server on specified packet types.
.B implementation6 <interface> <destination> [test-case-number]
Performs some ipv6 implementation checks, can be used to test firewalls too.
.TP
.B implementation6d <interface>
Identifies test packets by the implementation6 tool, useful to check what
packets passed a firewall.
.TP
.B inject_alive6 [-ap] <interface>
This tool answers to keep-alive requests on PPPoE and 6in4 tunnels; for PPPoE\nit also sends keep-alive requests.
Note that the appropriate environment variable THC_IPV6_{PPPOE|6IN4} must be set.
Option \-a will actively send alive requests every 15 seconds.
Option \-p will not send replies to alive requests.
.TP
.B inverse_lookup6 <interface> <mac-address>
Performs an inverse address query, to get the IPv6 addresses that are
assigned to a MAC address. Note that only few systems support this yet.
.TP
.B kill_router6 <interface> <target-ip>
Announce that target router is going down to delete it from the
routing tables. If you supply a '*' as target-ip, this tool will sniff
the network for RAs and immediately send the kill packet.
.TP
.B ndpexhaust26 <interface> [-acpPTUrR] [-s sourceip6] <target-network>
Flood the target /64 network with ICMPv6 TooBig error messages.
This tool version is manyfold more effective than ndpexhaust6.
\-a      add a hop-by-hop header with router alert.
\-c      do not calculate the checksum to save time.
\-p      send ICMPv6 Echo Requests.
\-P      send ICMPv6 Echo Reply.
\-T      send ICMPv6 Time-to-live-exceeded.
\-U      send ICMPv6 Unreachable (no route).
\-r      randomize the source from your /64 prefix.
\-R      randomize the source fully.
\-s sourceip6  use this as source ipv6 address.
.TP
.B ndpexhaust6 <interface> <target-network>
Randomly pings IPs in target network.
.TP
.B node_query6 <interface> <target-ip>
Sends an ICMPv6 node query request to the target and dumps the replies.
.TP
.B parasite6 <interface> [fake-mac]
This is an "ARP spoofer" for IPv6, redirecting all local traffic to your
own system (or nirvana if fake-mac does not exist) by answering falsely
to Neighbor Solicitation requests, specifying FAKE-MAC results in a local DOS.
.TP
.B passive_discovery6 <interface> [scriptname]
Passively sniffs the network and dump all client's IPv6 addresses
detected. If scriptname is supplied, it is called with the detected
IPv6 address as first and the interface as second parameters.
.TP
.B randicmp6 <interface> <target-ip>
Sends all ICMPv6 type and code combinations to target.
.TP
.B redir6 <interface> <src-ip> <target-ip> <original-router> <new-router> [new-router-mac]
Implant a route into src-ip, which redirects all traffic to target-ip to
new-ip. You must know the router which would handle the route.
If the new-router-mac does not exist, this results in a DOS.
.TP
.B redirsniff6 <interface> <victim-ip> <destination-ip> <original-router> [<new-router> [new-router-mac]]
Implant a route into victim-ip, which redirects all traffic to destination-ip to
new-router. You must know the router which would handle the route.
If the new-router and new-router-mac does not exist, this results in a DoS.
.TP
.B rsmurf6 <interface> <victim-ip>
Smurfs the local network of the victim. Note: this depends on an
implementation error, currently only verified on Linux (fixed in current versions).
Evil: "ff02::1" as victim will DOS your local LAN completely.
.TP
.B smurf6 <interface> <victim-ip> [multicast-network-address]
Smurf the target with ICMPv6 echo replies. Target of echo request is the
local all-nodes multicast address if not specified.
.TP
.B sendpees6 <interface> <key_length> <prefix> <victim-ip>
Send SEND neighbor solicitation messages and make target to verify a lota CGA and RSA signatures.
.TP
.B sendpeesmp6 <interface> <key_length> <prefix> <victim-ip>
Multithreaded version of
.B sendpees6.
.TP
.B trace6 [-d] <interface> targetaddress [port]
A basic but very fast traceroute6 program.
.TP
.B thcping6 <interface> <src6> <dst6> <srcmac> <dstmac> <data>
Craft your special ICMPv6 echo request packet.
.TP
.B thcsyn6 [-AcDrRS] [-p port] [-s source-ip6] <interface> <target> <port>
Flood the target port with TCP-SYN packets. If you supply "x" as port,
it is randomized.
.TP
.B toobig6 <interface> <target-ip> <existing-ip> <mtu>
Implants the specified mtu on the target
.SH SEE ALSO
.BR nmap (1),
.BR amap (1),
.BR dsniff (8).
.SH AUTHOR
thc-ipv6 was written by van Hauser <vh@thc.org> / THC
.PP
The homepage for this toolkit is: https://github.com/vanhauser-thc/thc-ipv6
.PP
This manual page was written by Maykel Moya <mmoya@mmoya.org> and
Arturo Borrero Gonzalez <arturo@debian.org>, for the Debian
project (but may be used by others). It's based on previous work by
Michael Gebetsroither <gebi@grml.org>.
